Online services, such as web-based email services and social network services, have rapidly gained popularity worldwide during the past decades. It is not uncommon for a person to have a number of accounts for a number of purposes. Following the increased use of such systems there is consequently also increased illegal activity relating to hacking and/or compromising the accounts. Security for these online services can in some cases be considered to be relatively low—typically only a password is needed to access the services and once the service has been compromised it may be possible both to cause damage to the legitimate user and sometimes lock the legitimate user out, for example by changing password.
Some of the online service providers provide information about recent login, containing information about for example when the login occurred, which browser that was used, from which IP the login was performed and from which country. These data have different names, for example “recent login activity” or “last account activity” and are typically available to the user. Users are encouraged to read the list and evaluate whether they think there are inappropriate accesses.
Some of the online service providers also send alerts for suspicious activity if there is a login which does not seem to match previous other recent logins in the recent login activity. However, in many cases the alerts are false, and in other cases real intrusions are not detected. One reason for failing to identify the real intrusions and/or generating false alerts is that is difficult for the service providers to evaluate whether a change in the behavior in the login activity originates from the user voluntarily changing behavior, for example by travelling or logging in from a different device.
A further issue with the processing of recent login activity to identify suspicious activity is that if the intrusion originates from a person close to the legitimate user, for example a family member, friend or colleague, it may be impossible to distinguish these access from accesses by the legitimate user, in particular if the person uses a device belonging to the legitimate user.